Posted
by
timothy
on Wednesday July 09, 2003 @10:58AM
from the happenstance-meeting dept.

VladDrac writes "Guido van Rossum, the author of the Python programming language, announced at OSCON last night that he's leaving zope.com, to work for a new startup called 'Elemental Security', founded by Dan Farmer (known from several security tools such as Satan). Guido leaving Zope.com will also probably mean that he will be no longer involved in Zope3 development, but hopefully he'll have more time to spend on Python development." Guido says that he's excited about his new employer, but that nothing substantial will change about Python as a result of the move. "It's just that I'll be working from the West coast." Python is "already quite secure," he says, and will be the basis of an upcoming security product ("just getting started") from Elemental.

No doubt he'll have much more time to dedicate to his programming. Python sounds pretty interesting, and I dug through the BitTorrent source a bit to learn more about it, but it also seems pretty complex for what the end result is (as opposed to, say, Perl.) With a bit of work towards a more logical parse tree/DTD, I could see Python easily surpassing Perl as a strongly-typed effective scripting language.

"Python has been an important part of Google since the beginning, and remains so as the system grows and evolves. Today dozens of Google engineers use Python, and we're looking for more people with skills in this language." said Peter Norvig, director of search quality at Google, Inc

I've tried and I even have friends already working there to use as references. My impression has been that for any kind of fun job there you need a PhD or at least a Masters. Oh well.. we can always dream.

A more interesting project would be to make a search engine that functions as well as Google on a much more modest budget. That's an ongoing game of mine. I figure if I ever succeed maybe they'll hire me finally.;)

This is a question, I have little
experience with Python and until I finish
my thesis that will not change.

I read somewhere in usenet that python is relatively slow,
even for interpreted language, and my (extremely
limited) experience is the same. A while ago, I did a simple text converter in python as
an exercise. Very basic stuff, read from file, check
the value of each symbol, change with another
value if necessary,
write into another file. It was quite slow
on texts of moderate size. I mean, if it
we

Sure, Python compared to C is slow, if you use calls written in Python rather than C (many Python modules are written in C with Python bindings). But compared to, say, Perl or Ruby? I'd say they're about on par.

Where Python is superior to C is the fact that Python is a higher level language. Easier to code it, easier to get things done, etc.

How were you reading the file? One big chunk, one character at a time, or with an intermediate buffer? An intermediate-sized buffer with data being copied to a new buffer for output will be the most efficient.

Were you trying to make in-place changes to the string? Strings in Python can't change, so with larger inputs you might've been moving a lot more data around behind the scenes.

The obvious reference to Python Web Site [python.org] will give more information. Python often competes in the same space as perl. But, Python is probably more object oriented than perl. The difference being that python is OO from the ground up as opposed to perl where it was added late. Most of Redhat's installation tools and scripts are written in python. A 3d game a few years ago 'Blade of Darkness' was done with mostly python.

Well, maybe, until you use
Ruby [ruby-lang.org]. At that point you realize that Python is by no means OO from the ground up. I like Python, it's one of my favourite languages, and it has been around for years... but while I like Python, I love Ruby because it is the most completely OO language I have ever used, and that is really handy. For a comparison, I'd recommend a
page on the ruby site [rubygarden.org] which is linked to from the python site, and contains a posting to comp.lang.python, so I'm guessing it's not too biased either w

I could see Python easily surpassing Perl as a strongly-typed effective scripting language.

Which unfortunately has nothing to do with the ideas behind Python.
It tends to be much more than "strongly-typed effective scripting language" and if there was some big corporation promoting it as development platform(not even providing support, the guys from the team are doing really good job) , you can bet that Java would had one more serious competitor to worry about...

Off the top of my head:Twisted - a web/chat/anything-you-can-name serverZope - Web Application/CMS type systembittorrent - you know about that oneRed Hat uses Python in a lot of their scripts (I believe)NumPy - used for scientific applications (replacing/augmenting Matlab, fortran, etc)Karamba - KDE desktop eyecandy, written in C++ and scripted with pythonand some really bad stuff I've written for my own amusement.:-)

Off course there's more, but I did say off the top of my head and I don't want to cheat. It's really a nice clean language, that really lends itself to prototyping but still can make great apps.

Python is actually simpler than Perl -- it's designed to be so. HOWEVER, Perl is also designed to do many specific things very simply, so when you need to do one of those specific things it's the fastest way to get it done -- assuming, of course, that you already knew Perl could do it:-).

I'm a Python fan, but I doubt Python will ever surpass Perl -- especially not by adding a "more logical parse tree", since it already has a very simple, consistent, and logical parse tree whereas Perl has more of a parse forest. Python and Perl are just too different; they compete in many areas, but their real strengths are far enough apart to keep them both viable in each other's presence.

Quote: I'm a Python fan, but I doubt Python will ever surpass Perl -- especially not by adding a "more logical parse tree", since it already has a very simple, consistent, and logical parse tree whereas Perl has more of a parse forest.

I've checked Twisted before makeing my choice for Zope. I found it as a sort of new OS, just without kernel. It can work well for embedded systems: imagine jsut kernel and twisted to do everything!

However the Unix way is oppositely different: make many small servers/applications/filters each doing its small function, but doing it very well. In case of twisted I found both web templates and instant messaging rather primitive, comparing to Zope and Jabber. And I don't see any benefits to keep inside the sam

By the way, why doesn't Twisted have "resemblance" with some of Jabber-server for its IM? IMHO new IP protocol will be re-implementing the wheel. Moreover, the implementation of proprietary IM protocols while ignoring the most famous open-source IM protocol (Jabber) should be considered as a shame for any open-source project, don't you think?

Anyway, I dislike the concept of re-implementing such protocols as SSH - it must be very secured, that's why I trust more to OpenSSH (and its libraries). Again, in

GvR: In a strongly typed language, when you change to a different data structure, you will likely have to change the argument and return types of many methods that just pass these things on. You may also have to change the number of arguments, because suddenly you pass the information as two or three parts instead of one. In Python, if you change the type of something, most likely pieces of code that only pass that something around and don't use it directly don't have to change at all.

Now you might be splitting hairs and saying that "static" means known at compile time and "strong" means type errors are always detected, but in common parlance "strong typing" includes static typing. For the pedants, there's Sebesta:

...we define a programming language to be strongly typed if type errors are always detected. This requires that the types of all operands can be determined, either at compile time or at run time.

This criterion is met by very few real-world languages. Most imperative and object-oriented languages include type coercion [python.org] which contradicts this property. It is interesting to note that future Python development is moving towards still stronger typing -- and, dare I say it -- functional-style constructs.

Of course, the pragmatic thing to do is to understand strong/weak typing not as binary, but as a continuum. In this case, Haskell is more strongly typed than Ada is more strongly typed than Python is more strongly typed than C++ is more strongly typed than C is more strongly typed than FORTRAN. It looks like Python 3.0 will be moving up the chain, however.

The definition:...we define a programming language to be strongly typed if type errors are always detected. This requires that the types of all operands can be determined, either at compile time or at run time.

You said: This criterion is met by very few real-world languages

Python and Java are two examples of languages that meet this criteria. They detect type errors either at compile time (in the Java-without-casting case) or at runtime (in the Python or the Java-with-casting case).

IIRC, Java doesn't support unsafe coercion. You can cast a value to something, but the runtime will check if that value is actually of that type and throw an exception if it isn't. Coercion in Python works the same way. Unless I'm misunderstanding your use of 'coercion'?

Since both Java and Python support type coercion, it is not the case that for any given Java or Python program, type errors will always be detected -- namely, in programs where coercion is used, the guarantee no longer holds.

In a system with type coercion, errors are caught at runtime. That's why both Java and Python have TypeError/ClassCastExceptions. If you read your own definition you'll see that it specifically allows for catching of errors at runtime.

So Java has both static and dynamic typing? Or do OO languages just confuse things?

Neither. Your argument is specious, because what you're referring to is inheritance, not typing. Inheritance is another aspect of OOP that says "If my parent is an Object(), by definition, I am an Object(), too." However, in your example, myvar will only have the properties and methods of Object(), not Foo(), unless you cast myvar like ((Foo)myvar).someFooMethod() (which disproves your argument, by the way).

Your hard time with Python is caused by your own reading disability and your fear of learning a new language, not by any flaw in the Python language.

Indentation without brackets makes block nesting much more readable and obvious, than brackets without indentation.

Perl code is fundamentally unreadable, and readable Perl code is the extremely rare exception to the rule. Perl does nothing to encourage people to write good code -- just the opposite. But Python supports and encourages clean maintainable read

We may have to agree to disagree. I understand your assertion but I will maintain that the choice of programming language does in fact affect the readability of the solution. This is especially true when you consider that the choice of a language often goes hand in hand with participation in a given software sub-culture. That plays right into your idea of readability being more a question of the programmer in question rather than the language, so we may be saying the same thing from different perspective

I think we're on the same side here. language selection shouldn't determine readability, but I agree it is a factor.

I've long though there needs to be a braces option in python. Like you say, it is a minor issue, and too many people harp on it. There are nits to pick with all languages (except maybe ruby, but I haven't looked at it enough yet to say). You can't please everyone, nor should you.

Though I do believe it is much easier to write readable, maintainable Python code than it is Perl code. I certainly find that I can understand my Python six months later. Perl is typically a different story.

Ada??! Isn't that the Wireless Robot Programming Language designed by the U.S. Government, and promoted by IBM? Ada's main feature isn't just strong typing -- it's specifically designed for flipping out and killing people! After all, robots are mammals!!!

Ada's a much better programming language for destroying Microsoft than Java, because Ada has built-in support for cutting off heads all the time without even thinking about it, instead of silly promises about "write once run anywhere" and those totally ho

The short version is that there isn't one (+):: Integer -> Integer -> Integer and one (+):: Float -> Float -> Float, but rather a single (+):: Num a => a -> a -> a. It is manifestly never possible to have a type error in this situation, so Haskell is still strongly typed.

My point was not that Haskell is not strongly-typed, but that Python is not weakly-typed because one can add an integer and a float.

It's hard to define, but I will swear to anyone that aesthetics are very important in code. Case in point: I'm currently refactoring somebody else's Python code. It sucks. There isn't any one specific thing about it that sucks, but it is still shit. Working shit, but shit nonetheless. The parts that I've worked over are much easier to read and change.

Messy code must die!---and Python is a great language to kill it with when done properly.

Last night at OSCON I announced that I am moving to California. Ihave accepted a new job at Elemental Security, a security softwarestartup in San Mateo. You may have heard of one of the founders, DanFarmer, who is the (co-)author of several well-known free securitychecking programs: Satan, Titan and The Coroner's Toolkit.

Elemental is a brand new company, and I can't say much yet about theproduct, except that it will be aimed at enterprise security and usePython. I'm very excited about working with Dan on its design andimplementation.

I'm also excited about moving to California, which has long been adream of mine. I'm looking forward to getting together with the manylocal Python users and developers once I'm settled; right now, my lifeand that if my family is total chaos because we're trying to find ahome and move into it by August 1st.

I will still have time for Python (it's in my contract) and I willcontinue to lead Python's development. The other PythonLabs folks:Fred Drake, Jeremy Hylton, Barry Warsaw and Tim Peters, are staying atZope, by the way.

But unfortunately, this move pretty much ends my involvement in Zope3. I've signed a contributors agreement, but with the new job and myPython work I don't expect to have much time for Zope. So this isalso a goodbye, of sorts. I've enjoyed working with many of you, Zope3 developers, and I expect we'll run into each other at some futurePython event.

In the mean time, I'm here at OSCON with a busy schedule and limitedaccess to my email, and the following weeks I will be in transition,so please be kind if I don't reply immediate when you write me.

Yes, bash.cx and bash.org are related, but they are not the same thing. They run different scripts that were written by the same person, but they are not the same site. Both are forks of the original IRC Quote Database that was located at geekissues.org/quotes/

IMHO, it won't be secure until they bring back Bastion and Rexec and get them right this time. Actually, all I want is to be able to remove all the builtins that access the system directly (so Python can't crash your computer, delete files, or otherwise access the filesystem) - but while the language and API documentation is pretty good, the compiler variables are wholly unkown.

For embedding into applications - the application should be handling all the content moving in and out of the scripting engine. Alternately, to allow the user to develop a secure, proprietary filesystem or file access or system calling system within an extension module, independant of the unsafe main filesystem. This puts the burden of security on the person building the application - not the end user who will be scripting (which is unsafe) or on Python itself.

IMHO, it won't be secure until they bring back Bastion and Rexec and get them right this time.

read the python mailing lists for a full explanation. They were yanked because they not only didn't do the job right _it is not possible_. Restricting disk/CPU/memory usage is an operating system job. Trying to build it into the language (like java) just makes things really complicated (for both core developers and users) and still doesn't work.

Let's say that you download python gui scripts for a web browser---python applets. I believe this is something that Grail can/could do. How would you run them safely? I'm not attacking you; I'm curious.

... is yet another guy named "Guido" wanting everyone to admire his "Python".

SoCal is the land of double entendre and uber-image, Mr. Van Rossum. We don't care about your substance, we want to know about your style. So the question the really needs to be answered now is,

Python: Is It Sexy Enough? Join us on E! when we ask your favorite celebs just what scripting language they use for their daily information processing! We know Pamela Anderson loves Perl, and Carmen Daily is crazy about Java, but what happens when these two sexy stars get their hands on Python? Watch at 11 and find out!

I tried satan for my network security. Cost me my soul, but it's damn good. One kid tried to hack around our proxy to play games at work, and he got engulfed in flame and dragged down to the 3rd layer of hell for the rest of the day! Sure, I have to use a massive water cooling system to keep the firewall (and I mean a wall of fire that I run the ethernet cable through) from melting the other servers, but when the dark lord is watching your back, you don't even have to think twice about security.

Since this last one is particularly telling, I will quote the relevant text for our impatient readers:

I think Guido's rationale for removing all these features will be
widely misunderstood. Me channeling him: it is not that he believes
that the architectures developed were inherently incapable of
providing security. Instead, he feels that no "expert" for these
matters has reviewed these architecture for flaws, and that the
continuing maintenance of these things isn't going to happen.

If this understanding is correct, then any new approaches will likely
suffer from the same fate. Unless somebody steps forward and says: "I
am a security expert, and I guarantee that this and that feature is
secure (in some documented sense)", then I think he will dislike any
changes that mean to provide security.

So this not a matter of engineering but of authority. Somebody must
take the blame, and Guido doesn't want to be that someone.

Disclaimer: I love python. However, I am working on a project that depends on rexec, and when I discovered that it was being removed, I was a little annoyed - especially at the reasoning behind the decision.

Me too - the problem is that there is no longer any mechanism for running untrusted code. I would be satisfied with a bare-bones approach - the ability to compile the Python interpreter with no access to the system (no calling sys, no access to filesystem) so that everythin would be done through extension modules. This would be not nearly as complicated as Rexec, and should be doable with a reasonable degree of security.

The word "secure" is just as misunderstood and abused as the word "love". It has many different meanings in many different contexts. Programming in Java doesn't protect your children from terrorists.

Unless the security product allows untrusted users to enter and execute Python code, then there's no contradiction in using Python to develop a secure application. Security isn't something that springs from the programming language itself -- it depends on what you do with the language. Security is largely a so

Looking at Guido's Home Page [python.org] I noticed that his picture shows a clean, healthy looking guy with all his hair.
I hereby cast my vote for Guido VanRossum for Least Ugly Open-Source Project Leader.

Zope is a very cool web application system, and while I don't know of Guido's specific contributions I have to assume that they were great. Still, I'm confidant that Zope will carry on.

For those not familiar with Zope, it is a web application server written entirely in Python. It features an object database that, for example, lets you create an image object, and then call it from other code to automatically build your image tag based on the dimensions and title of the image stored in the object.

Zope does have a pretty steep learning curve, if you don't do stuff with "real" web applications (stuff that needs access control lists, user management, templating, etc) it might not be right for you, but it's great for bigger applications. Edd Dumbill talks in a recent blog entry about why Zope is worth learning [usefulinc.com] and DevShed (which runs on Zope) has a good overview [devshed.com].

Guido and Dan Farmer are both smart guys and I'm sure that we can expect good things.

I was experimenting with Zope last year and again during the first half of this year. It's definitely a cool product, but what threw me for now at least was that the documentation is abysmal, at least online.

From what I've been able to tell, there are several editions of the Zope book -- the only up-to-date version [zope.org] of which (currently 2.6) is still work in progress. The rest of the documentation [zope.org] is a mish-mash of user-written howto's, some of which are excellent, some of which are dupes of others, many of which are out of date, and others of which are just badly written. Searching the database of these is hard, and it's very difficult to distinguish well written old ones that are still relevant from newer ones that aren't very useful.

My main problem with it though is that although it focuses hugely on the differences between zope development and regular web development without seriously dealing with implementation examples of common tasks. On and off it took me about a month to figure out how to make a simple form-based login system (similar to slashdot's) and tie it into Zope's user folder system. Co-incidentally The only zope-based website I could find that actually did this was zope.org itself.

I really like Zope and I've shown off how it works to people many times over. But I'll only seriously consider using it more once the documentation is more coherent. At the moment I think that's one of the main places where itfalls over.

I read the Zope Bible [zopebible.com] which I recommend. I haven't looked at the other Zope books, so I don't know how good it is in relation to the others, but it walked me through the basics and I figured the rest out on my own. A lot of time I needed to look at the source code to see how things were working, which speaks poorly for the documentation, but I got the job done.

Also, the way zope.org's login is overridden is default in CMF with the Cookie Crumbler product. I don't know if this is available outside of CMF

We use Zope a lot where I work, so we have ALL the books. The Zope Bible (mentioned by GeorgeH above) is my favorite. However, most printed books make heavy use of the semi-deprecated DTML tags, rather than the more "strategic" ZPT tags, an approach which made sense back when they were written, but not now.

I've developed a production web site in Python and Zope (http://www.Connected.TV [connected.tv]),
and I like Zope a lot, and absolutely love Python. But Zope is much more complicated than it needs to be, and not well documented at all. The Zope developers are certainly aware of those problems, and working to correct them. I don't agree with all the directions they're taking (like the messy dtml and crippled xml page templates that want to be a programming language but aren't quite -- didn't they already make that mistake

As an active Pythonic, and a most interested observer over the last two and a half years, it seesm to me that Guido leaving Zope should not raise any fears whatsoever about the future of Zope. I will explain below. Secondly, Guido's joining the new company is a positive for Python, which I will also explain.
When Guido joined Zope a while back, I was very happy because it was good for Python, as it gave Guido a safe and comfortable corporate home and presumably a good living, while still allowing him to de

PhysicsGenius is a known troll... and it's amusing to see just how many moderators get caught by him. All of his posts have just enough in them to sound intelligent, but they're all very deeply wrong -- usually twisting the facts backwards (such as this one) or flying off into realms of thought usually reserved for the insane.

Maybe some moderators with a clue will beat the grandparent post down now.

On topic - I've known Perl for awhile and am starting to code in Python... the syntax is certainly cleaner,

That's funny. I switched from Perl to Python several years ago and one of the things that I like best about Python is the documentation. Perl's Camel book made a pretty fair reference, but I didn't really like busting out a hard-copy book every time I wanted to look something up. The electronic Perl documentation was pretty nice, but it wasn't quite as comprehensive as the Camel book, and the POD format simply can't compete with Python's documentation. The PDF and HTML formats are nice, but I really like the fact that the Python documentation is available in info format for easy reading in Emacs (complete with a comprehensive index). The indexes in Python's electronic documentation really make a heck of a difference once you start using them. Perl's pile o' man pages simply can't touch Python in this regard (IMHO).

Perl's TIMTOWTDI style means that every time you edit someone else's Perl code you will encounter four or five new Perlisms that you have never seen and that require the Camel book for deciphering. When I was hacking Perl, that meant carring around the Camel book in my laptop bag "just in case." With Python that's no longer a problem.

My guess is that you have gotten use to the structure of Perl's documentation. You know where to find Perl information, and are simply frustrated by the fact that Python requires that you start from scratch with a new set of documentation.

On the other hand, it is possible that we simply have different documentation requirements. What precisely is the problem? "They suck," is not particularly descriptive.

Dang it, I meant to put in some concrete examples but apparantly forgot. Blergh.

First off, I'm using the Python 2.1 docs -- they may be outdated and the more recent 2.2 or 2.3 docs may be better, but 2.1 is what's installed on our development and production boxes, and we dislike changing those kinds of things unless we need to.

The C API docs stink. There's not a single complete example in the doc tree (on python.org) that I've found -- just snippets here and there. There are references that extending Pyth

Woah. Talk about concrete examples. As for your problems with the C API docs, I don't know what to tell you as I have done very little Python + C work, and the bit that I have done was mostly guided by Mark Lutz's book and the fine example of PyGreSQL. It's very likely that your criticisms of that part of the documentation are true. However, my guess is that extending Python via C is still easier than getting your mind around Perl-guts.

Heh. Well, I'm quite literally working on this stuff when not avoiding doing work by reading/., so it's quite fresh.:)

And yes, it is still easier than dealing with Perl-guts... the docs for that (last time I glanced at them, which was years ago) were quite horrid, and I've never tried it myself anyway. Still having issues at the moment (core dump upon import), but investigating the causes and solutions. Things are moving.

The re module does have a sub() function, but that's fairly well documented.

The C API docs stink. There's not a single complete example in the doc tree (on python.org) that I've found -- just snippets here and there. There are references that extending Python is very simple (and, indeed, it does appear to be now that I've found sufficient docs) and there's even tools to automate most of it. But nowhere are the actual tools referenced/linked to, there are calls used without explanation or links to explanation, and the docs suddenly shift between extending and embedding without adequ

Python _is_ more object oriented then VB. VB6 is object based, since there is no inheritence.
(and python supports single and multiple inheritance)
Perl neater then Python? I love both languages but Python programs are amazingly more readable then Perl programs.
Perl slower then Python? not in my experience.
They are really close in performance.
see, http://www.bagley.org/~doug/shootout/
And have you done OO in Perl? compared to Python
it's a pain.
VB code 2-3x shorter then the Python version?
I've h